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Mr.  Chairman  and  Members  of  the  Committee: 

I  am  pleased  to  be  here  today  to  discuss  efforts  to  protect  federal  agency 
information  systems  and  our  nation’s  critical  computer-dependent 
infrastructures.  Federal  agencies,  and  other  public  and  private  entities, 
rely  extensively  on  computerized  systems  and  electronic  data  to  support 
their  missions.  Accordingly,  the  security  of  these  systems  and  data  is 
essential  to  avoiding  disruptions  in  critical  operations,  data  tampering, 
fraud,  and  inappropriate  disclosure  of  sensitive  information. 

Today,  I  will  provide  an  overview  of  our  recent  reports  on  federal 
information  security  and  critical  infrastructure  protection.  Specifically,  I 
will  summarize  the  pervasive  nature  of  federal  system  weaknesses,  outline 
the  serious  risks  to  federal  operations,  and  then  detail  the  specific  types  of 
weaknesses  identified  at  federal  agencies.  I  will  also  discuss  the 
importance  of  establishing  a  strong  agencywide  security  management 
framework  and  how  new  evaluation  and  reporting  requirements  can 
improve  federal  efforts.  Next,  I  will  provide  an  overview  of  the  strategy 
described  in  Presidential  Decision  Directive  (PDD)  63  for  protecting  our 
nation’s  critical  infrastructures  from  computer-based  attacks.  Finally,  I 
will  summarize  the  results  of  our  recent  report  on  the  National 
Infrastructure  Protection  Center  (NIPC),  an  interagency  center  housed  in 
the  Federal  Bureau  of  Investigation  (FBI),  which  is  responsible  for 
providing  analysis,  warning,  and  response  capabilities  for  combating 
computer-based  attacks. 


Results  in  Brief 

Because  of  our  government’s  and  our  nation’s  reliance  on  interconnected 
computer  systems  to  support  critical  operations  and  infrastructures,  poor 
information  security  could  have  potentially  devastating  implications  for 
our  country.  Despite  the  importance  of  maintaining  the  integrity, 
confidentiality,  and  availability  of  important  federal  computerized 
operations,  federal  computer  systems  are  riddled  with  weaknesses  that 
continue  to  put  critical  operations  and  assets  at  risk.  In  particular,  federal 
agencies  continue  to  have  deficiencies  in  their  entitywide  security 
programs  that  are  critical  to  their  success  in  ensuring  that  risks  are 
understood  and  that  effective  controls  are  selected  and  implemented.  The 
new  information  security  provisions  that  you,  Mr.  Chairman,  and  Senator 
Thompson  originally  introduced  as  legislation  will  be  a  major  catalyst  for 
federal  agencies  to  improve  their  security  program  management.  To  help 
maintain  the  momentum  that  the  new  information  security  reform 
provisions  have  generated,  federal  agencies  must  act  quickly  to  implement 
strong  security  program  management. 
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A  key  element  of  the  strategy  outlined  in  PDD  63  was  establishing  the 
NIPC  as  “a  national  focal  point”  for  gathering  information  on  threats  and 
facilitating  the  federal  government’s  response  to  computer-based 
incidents.  The  NIPC  has  initiated  a  variety  of  critical  infrastructure 
protection  efforts  that  establish  a  foundation  for  future  governmentwide 
efforts.  However,  the  analytical  and  information-sharing  capabilities  that 
PDD  63  asserts  are  needed  to  protect  the  nation’s  critical  infrastructures 
have  not  yet  been  achieved.  We  made  various  recommendations  to  the 
Assistant  to  the  President  for  National  Security  Affairs  and  the  Attorney 
General  regarding  the  need  to  more  fully  define  the  role  and 
responsibilities  of  the  NIPC,  develop  plans  for  establishing  analysis  and 
warning  capabilities,  and  formalize  information-sharing  relationships  with 
private-sector  and  federal  entities.  To  improve  our  nation’s  ability  to 
respond  to  computer-based  incidents,  the  administration  should  consider 
these  recommendations  as  it  reviews  how  the  government  is  organized  to 
deal  with  information  security  issues. 


Background 

Dramatic  increases  in  computer  interconnectivity,  especially  in  the  use  of 
the  Internet,  are  revolutionizing  the  way  our  government,  our  nation,  and 
much  of  the  world  communicate  and  conduct  business.  The  benefits  have 
been  enormous.  Vast  amounts  of  information  are  now  literally  at  our 
fingertips,  facilitating  research  on  virtually  every  topic  imaginable; 
financial  and  other  business  transactions  can  be  executed  almost 
instantaneously,  often  on  a  24-hour-a-day  basis;  and  electronic  mail, 
Internet  web  sites,  and  computer  bulletin  boards  allow  us  to  communicate 
quickly  and  easily  with  a  virtually  unlimited  number  of  individuals  and 
groups. 

In  addition  to  such  benefits,  however,  this  widespread  interconnectivity 
poses  significant  risks  to  our  computer  systems  and,  more  important,  to 
the  critical  operations  and  infrastructures  they  support.  For  example, 
telecommunications,  power  distribution,  public  health,  national  defense 
(including  the  military’s  warfighting  capability),  law  enforcement, 
government,  and  emergency  services  all  depend  on  the  security  of  their 
computer  operations.  Likewise,  the  speed  and  accessibility  that  create  the 
enormous  benefits  of  the  computer  age,  if  not  properly  controlled,  allow 
individuals  and  organizations  to  inexpensively  eavesdrop  on  or  interfere 
with  these  operations  from  remote  locations  for  mischievous  or  malicious 
purposes,  including  fraud  or  sabotage. 

Reports  of  attacks  and  disruptions  are  growing.  The  number  of  computer 
security  incidents  reported  to  the  CERT  Coordination  Center®  (CERT- 
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CC)1  rose  from  9,859  in  1999  to  21,756  in  2000.  For  the  first  6  months  of 
2001,  15,476  incidents  were  reported.  As  the  number  of  individuals  with 
computer  skills  has  increased,  more  intrusion  or  “hacking”  tools  have 
become  readily  available  and  relatively  easy  to  use.  A  potential  hacker  can 
literally  download  tools  from  the  Internet  and  “point  and  click”  to  start  a 
hack.  According  to  a  recent  National  Institute  of  Standards  and 
Technology  publication,  hackers  post  30  to  40  new  tools  to  hacking  sites 
on  the  Internet  every  month. 

Recent  attacks  over  the  past  2  months  illustrate  the  risks.  These  attacks, 
referred  to  as  Code  Red,  Code  Red  II,  and  SirCam,  have  affected  millions 
of  computer  users,  shut  down  Web  sites,  slowed  Internet  service,  and 
disrupted  business  and  government  operations.  They  have  already 
reportedly  caused  billions  of  dollars  of  damage,  and  their  full  effects  have 
yet  to  be  completely  assessed.  Code  Red  attacks  have  reportedly  (1) 
caused  the  White  House  to  change  its  website  address,  (2)  forced  the 
Department  of  Defense  (DOD)  to  briefly  shut  down  its  public  websites,  (3) 
infected  Treasury’s  Financial  Management  Service  causing  it  to  disconnect 
its  systems  from  the  Internet,  (4)  caused  outages  for  users  of  Qwest’s  high¬ 
speed  Internet  service  nationwide,  and  (5)  delayed  FedEx  package 
deliveries.  Our  testimony  last  month  provides  further  details  on  the  nature 
and  impact  of  these  attacks." 

These  are  just  the  latest  episodes.  The  cost  of  last  year’s  ILOVEYOU  virus 
is  now  estimated  to  be  more  than  $8  billion.  Other  incidents  reported  in 
2001  illustrate  the  problem  further: 

•  A  hacker  group  by  the  name  of  “PoizonBOx”  defaced  numerous 
government  web  sites,  including  those  of  the  Department  of 
Transportation,  the  Administrative  Office  of  the  U.S.  Courts,  the  National 
Science  Foundation,  the  National  Oceanic  and  Atmospheric 
Administration,  the  Princeton  Plasma  Physics  Laboratory,  the  General 
Services  Administration,  the  U.S.  Geological  Survey,  the  Bureau  of  Land 
Management,  and  the  Office  of  Science  &  Technology  Policy.  (Source: 
Attrition.org.,  March  19,  2001.) 

•  The  “Russian  Hacker  Association”  offered  over  the  Internet  an  e-mail 
bombing  system  that  would  destroy  a  person’s  “web  enemy”  for  a  fee. 
(Source:  UK  Ministry  of  Defense  Joint  Security  Coordination  Center.) 


'CERT  Coordination  Center®  is  a  center  of  Internet  security  expertise  located  at  the 
Software  Engineering  Institute,  a  federally  funded  research  and  development  center 
operated  by  Carnegie  Mellon  University. 

: Information  Security:  Code  Red,  Code  Red  II,  and  SirCam  Attacks  Highlight  Need  for 
Proactive  Measures  (GAO-01-1073T,  August  29,  2001). 
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Government  officials  are  increasingly  concerned  about  attacks  from 
individuals  and  groups  with  malicious  intent,  such  as  crime,  terrorism, 
foreign  intelligence  gathering,  and  acts  of  war.  According  to  the  FBI, 
terrorists,  transnational  criminals,  and  intelligence  services  are  quickly 
becoming  aware  of  and  using  information  exploitation  tools  such  as 
computer  viruses,  Trojan  horses,  worms,  logic  bombs,  and  eavesdropping 
sniffers  that  can  destroy,  intercept,  or  degrade  the  integrity  of  and  deny 
access  to  data."  As  greater  amounts  of  money  are  transferred  through 
computer  systems,  as  more  sensitive  economic  and  commercial 
information  is  exchanged  electronically,  and  as  the  nation’s  defense  and 
intelligence  communities  increasingly  rely  on  commercially  available 
information  technology,  the  likelihood  that  information  attacks  will 
threaten  vital  national  interests  increases.  In  addition,  the  disgruntled 
organization  insider  is  a  significant  threat,  since  such  individuals  with  little 
knowledge  about  computer  intrusions  often  have  knowledge  that  allows 
them  to  gain  unrestricted  access  and  inflict  damage  or  steal  assets. 


Weaknesses  in 
Federal  Systems 
Remain  Pervasive 

Since  1996,  our  analyses  of  information  security  at  major  federal  agencies 
have  shown  that  federal  systems  were  not  being  adequately  protected 
from  computer-based  threats,  even  though  these  systems  process,  store, 
and  transmit  enormous  amounts  of  sensitive  data  and  are  indispensable  to 
many  federal  agency  operations.  In  September  1996,  we  reported  that 
serious  weaknesses  had  been  found  at  10  of  the  15  largest  federal 
agencies,  and  we  concluded  that  poor  information  security  was  a 


: These  terms  are  defined  as  follows:  Virus:  a  program  that  “infects”  computer  files,  usually 
executable  programs,  by  inserting  a  copy  of  itself  into  the  file.  These  copies  are  usually 
executed  when  the  “infected”  file  is  loaded  into  memory,  allowing  the  virus  to  infect  other 
files.  Unlike  the  computer  worm,  a  virus  requires  human  involvement  (usually  unwitting)  to 
propagate.  Trojan  horse:  a  computer  program  that  conceals  harmful  code.  A  Trojan  horse 
usually  masquerades  as  a  useful  program  that  a  user  would  wish  to  execute.  Worm:  an 
independent  computer  program  that  reproduces  by  copying  itself  from  one  system  to 
another  across  a  network.  Unlike  computer  viruses,  worms  do  not  require  human 
involvement  to  propagate.  Logic  bombs:  in  programming,  a  form  of  sabotage  in  which  a 
programmer  inserts  code  that  causes  the  program  to  perform  a  destructive  action  when 
some  triggering  event  occurs,  such  as  terminating  the  programmer’s  employment.  Sniffer. 
synonymous  with  packet  sniffer.  A  program  that  intercepts  routed  data  and  examines  each 
packet  in  search  of  specified  information,  such  as  passwords  transmitted  in  clear  text. 
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widespread  federal  problem  with  potentially  devastating  consequences.4  In 
1998  and  in  2000,  we  analyzed  audit  results  for  24  of  the  largest  federal 
agencies;  both  analyses  found  that  all  24  agencies  had  significant 
information  security  weaknesses.5  As  a  result  of  these  analyses,  we  have 
identified  information  security  as  a  govemmentwide  high-risk  issue  in 
reports  to  the  Congress  since  1997 — most  recently  in  January  2001. b 

Our  most  recent  analysis,  last  April,  of  reports  published  since  July  1999, 
showed  that  federal  computer  systems  continued  to  be  riddled  with 
weaknesses  that  put  critical  operations  and  assets  at  risk.'  Weaknesses 
continued  to  be  reported  in  each  of  the  24  agencies  covered  by  our  review, 
and  they  covered  all  six  major  areas  of  general  controls — the  policies, 
procedures,  and  technical  controls  that  apply  to  all  or  a  large  segment  of 
an  entity’s  information  systems  and  help  ensure  their  proper  operation. 
These  six  areas  are  (1)  security  program  management,  which  provides  the 
framework  for  ensuring  that  risks  are  understood  and  that  effective 
controls  are  selected  and  properly  implemented,  (2)  access  controls, 
which  ensure  that  only  authorized  individuals  can  read,  alter,  or  delete 
data,  (3)  software  development  and  change  controls,  which  ensure  that 
only  authorized  software  programs  are  implemented,  (4)  segregation  of 
duties,  which  reduces  the  risk  that  one  individual  can  independently 
perform  inappropriate  actions  without  detection,  (5)  operating  systems 
controls,  which  protect  sensitive  programs  that  support  multiple 
applications  from  tampering  and  misuse,  and  (6)  service  continuity,  which 
ensures  that  computer-dependent  operations  experience  no  significant 
disruptions. 

Our  April  analysis  also  showed  that  the  scope  of  audit  work  performed  has 
continued  to  expand  to  more  fully  cover  all  six  major  areas  of  general 
controls  at  each  agency.  Not  surprisingly,  this  has  led  to  the  identification 
of  additional  areas  of  weakness  at  some  agencies.  While  these  increases  in 
reported  weaknesses  are  disturbing,  they  do  not  necessarily  mean  that 
information  security  at  federal  agencies  is  getting  worse.  They  more  likely 
indicate  that  information  security  weaknesses  are  becoming  more  fully 


4 

Information  Security:  Opportunities  for  Improved  OMB  Oversight  of  Agency  Practices 
(GAO/A1MD-96-1 10,  September  24,  1996). 

information  Security:  Serious  Weaknesses  Place  Critical  Federal  Operations  and  Assets  at 
Risk  (GAO/AIMD-98-92,  September  23,  1998);  Information  Security:  Serious  and 
Widespread  Weaknesses  Persist  at  Federal  Agencies  (GAO/AIMD-OO-295,  September  6, 
2000). 

'High-Risk  Series:  Information  Management  and  Technology  (GAO/HR-97-9,  February  1, 
1997);  High-Risk  Series:  An  Update  (GAO/HR-99-1,  January  1999);  High  Risk  Series:  An 
Update  (GAO-Ol-263,  January  2001). 

^Computer  Security:  Weaknesses  Continue  to  Place  Critical  Federal  Operations  and  Assets 
at  Risk  (GAO-01-600T,  April  5,  2001). 
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understood — an  important  step  toward  addressing  the  overall  problem. 
Nevertheless,  the  results  leave  no  doubt  that  serious,  pervasive 
weaknesses  persist.  As  auditors  increase  their  proficiency  and  the  body  of 
audit  evidence  expands,  it  is  probable  that  additional  significant 
deficiencies  will  be  identified. 

Most  of  the  audits  covered  in  our  analysis  were  performed  as  part  of 
financial  statement  audits.  At  some  agencies  with  primarily  financial 
missions,  such  as  the  Department  of  the  Treasury  and  the  Social  Security 
Administration,  these  audits  covered  the  bulk  of  mission-related 
operations.  However,  at  agencies  whose  missions  are  primarily 
nonfinancial,  such  as  DOD  and  the  Department  of  Justice,  the  audits  may 
provide  a  less  complete  picture  of  the  agency’s  overall  security  posture 
because  the  audit  objectives  focused  on  the  financial  statements  and  did 
not  include  evaluations  of  systems  supporting  nonfinancial  operations.  In 
response  to  congressional  interest,  during  fiscal  years  1999  and  2000,  we 
expanded  our  audit  focus  to  cover  a  wider  range  of  nonfinancial 
operations.  We  expect  this  trend  to  continue. 


Risks  to  Federal 
Operations  are 
Substantial 

To  fully  understand  the  significance  of  the  weaknesses  we  identified,  it  is 
necessary  to  link  them  to  the  risks  they  present  to  federal  operations  and 
assets.  Virtually  all  federal  operations  are  supported  by  automated  systems 
and  electronic  data,  and  agencies  would  find  it  difficult,  if  not  impossible, 
to  carry  out  their  missions  and  account  for  their  resources  without  these 
information  assets.  Hence,  the  degree  of  risk  caused  by  security 
weaknesses  is  extremely  high. 

The  weaknesses  identified  place  a  broad  array  of  federal  operations  and 
assets  at  risk  of  fraud,  misuse,  and  disruption.  For  example,  weaknesses  at 
the  Department  of  the  Treasury  increase  the  risk  of  fraud  associated  with 
billions  of  dollars  of  federal  payments  and  collections,  and  weaknesses  at 
DOD  increase  the  vulnerability  of  various  military  operations.  Further, 
information  security  weaknesses  place  enormous  amounts  of  confidential 
data,  ranging  from  personal  and  tax  data  to  proprietary  business 
information,  at  risk  of  inappropriate  disclosure.  For  example,  in  1999,  a 
Social  Security  Administration  employee  pled  guilty  to  unauthorized 
access  to  the  administration’s  systems.  The  related  investigation 
determined  that  the  employee  had  made  many  unauthorized  queries, 
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including  obtaining  earnings  information  for  members  of  the  local 
business  community. 

More  recent  audits  in  2001  show  that  serious  weaknesses  continue  to  be  a 
problem  and  that  critical  federal  operations  and  assets  remain  at  risk. 

•  In  August,  we  reported  that  significant  and  pervasive  weaknesses  placed 
the  Department  of  Commerce’s  systems  at  risk.  Many  of  these  systems  are 
considered  critical  to  national  security,  national  economic  security,  and 
public  health  and  safety.  Nevertheless,  we  demonstrated  that  individuals, 
both  within  and  outside  of  Commerce,  could  gain  unauthorized  access  to 
Commerce  systems  and  thereby  read,  copy,  modify,  and  delete  sensitive 
economic,  financial,  personnel,  and  confidential  business  data.  Moreover, 
intruders  could  disrupt  the  operations  of  systems  that  are  critical  to  the 
mission  of  the  department.’’  Also,  Commerce’s  inspector  general  has  also 
reported  significant  computer  security  weaknesses  in  several  of  the 
department’s  bureaus  and,  in  February  2001,  reported  multiple  material 
information  security  weaknesses  affecting  the  department’s  ability  to 
produce  accurate  data  for  financial  statements.0 

•  In  July,  we  reported  serious  weaknesses  in  systems  maintained  by  the 
Department  of  Interior’s  National  Business  Center,  a  facility  processing 
more  than  $12  billion  annually  in  payments  that  place  sensitive  financial 
and  personnel  information  at  risk  of  unauthorized  disclosure,  critical 
operations  at  risk  of  disruption,  and  assets  at  risk  of  loss.  While  Interior 
has  made  progress  in  correcting  previously  identified  weaknesses,  the 
newly  identified  weaknesses  impeded  the  center’s  ability  to  (1)  prevent 
and  detect  unauthorized  changes,  (2)  control  electronic  access  to  sensitive 
information,  and  (3)  restrict  physical  access  to  sensitive  computing  areas.10 

•  In  March,  we  reported  that  although  the  DOD’s  Department-wide 
Information  Assurance  Program  had  made  progress  in  addressing  infor¬ 
mation  assurance,  it  had  not  yet  met  its  goals  of  integrating  information 
assurance  with  mission  readiness  criteria,  enhancing  information 
assurance  capabilities  and  awareness  of  department  personnel,  improving 
monitoring  and  management  of  information  assurance  operations,  and 
establishing  a  security  management  infrastructure.  As  a  result,  DOD  was 
unable  to  accurately  determine  the  status  of  information  security  across 


information  Security:  Weaknesses  Place  Commerce  Data  and  Operations  at  Serious  Risk 
(GAO-Ol-751,  August  13,  2001). 

9Department  of  Commerce’s  Fiscal  Year  2000  Consolidated  Financial  Statements, 
Inspector  General  Audit  Report  No.  FSD-12849-1-0001. 

“Information  Security:  Weak  Controls  Place  Interior's  Financial  and  Other  Data  at 
Risk  (GAO-Ol-615,  July  3,  2001). 
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the  department,  the  progress  of  its  improvement  efforts,  or  the 
effectiveness  of  its  information  security  initiatives.11 

•  In  February,  the  Department  of  Health  and  Human  Services’  Inspector 
General  again  reported  serious  control  weaknesses  affecting  the  integrity, 
confidentiality,  and  availability  of  data  maintained  by  the  department.1" 
Most  significant  were  weaknesses  associated  with  the  department’s 
Centers  for  Medicare  and  Medicaid  Services  (CMS),  formerly  known  as  the 
Health  Care  Financing  Administration,  which  was  responsible,  during 
fiscal  year  2000,  for  processing  more  than  $200  billion  in  Medicare 
expenditures.  CMS  relies  on  extensive  data  processing  operations  at  its 
central  office  to  maintain  administrative  data,  such  as  Medicare 
enrollment,  eligibility  and  paid  claims  data,  and  to  process  all  payments 
for  managed  care.  Significant  weaknesses  were  also  reported  for  the  Food 
and  Drug  Administration  and  the  department’s  Division  of  Financial 
Operations. 

These  types  of  risks,  if  inadequately  addressed,  may  limit  the  government’s 
ability  to  take  advantage  of  new  technology  and  improve  federal  services 
through  electronic  means.  For  example,  this  past  February,  we  reported 
on  serious  control  weaknesses  in  the  Internal  Revenue  Service’s  (IRS) 
electronic  filing  system,  noting  that  failure  to  maintain  adequate  security 
could  erode  public  confidence  in  electronic  filing,  jeopardize  the  Service’s 
ability  to  meet  its  goal  of  80  percent  of  returns  being  filed  electronically  by 
2007,  and  deprive  it  of  financial  and  other  anticipated  benefits. 

Specifically,  we  found  that,  during  the  2000  tax  filing  season,  IRS  did  not 
adequately  secure  access  to  its  electronic  filing  systems  or  to  the 
electronically  transmitted  tax  return  data  those  systems  contained.  We 
demonstrated  that  unauthorized  individuals,  both  within  and  outside  IRS, 
could  have  gained  access  to  these  systems  and  viewed,  copied,  modified, 
or  deleted  taxpayer  data.  In  addition,  the  weaknesses  we  identified 
jeopardized  the  security  of  the  sensitive  business,  financial,  and  taxpayer 
data  on  other  critical  IRS  systems  that  were  connected  to  the  electronic 
filing  systems.  The  IRS  Commissioner  has  stated  that,  in  response  to 
recommendations  we  made,  IRS  completed  corrective  action  for  all  the 
critical  access  control  vulnerabilities  we  identified  before  the  2001  filing 
season  and  that,  as  a  result,  the  electronic  filing  systems  now  satisfactorily 
meet  critical  federal  security  requirements  to  protect  the  taxpayer.13  As 


“information  Security:  Progress  and  Challenges  to  an  Effective  Defense-wide  Information 
Assurance  Program  (GAO-01-307,  March  30,  2001). 

12Report  on  the  Financial  Statement  Audit  of  the  Department  of  Health  and  Human  Services 
for  Fiscal  Year  2000,  A-17-00-00014,  February  26,  2001. 

“Information  Security:  IRS  Electronic  Filing  Systems  (GAO-01-306,  February  16, 
2001). 
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part  of  our  audit  follow  up  activities,  we  plan  to  evaluate  the  effectiveness 
of  IRS’  corrective  actions. 

Addressing  weaknesses  such  as  those  we  identified  in  the  IRS’s  electronic 
filing  system  is  especially  important  in  light  of  the  administration’s  plans 
to  improve  government  services  by  expanding  use  of  the  Internet  and 
other  computer-facilitated  operations — collectively  referred  to  as 
electronic  government,  or  E-government.14  Specific  initiatives  proposed  for 
fiscal  year  2002  include  expanding  electronic  means  for  (1)  providing 
information  to  citizens,  (2)  handling  procurement-related  transactions,  (3) 
applying  for  and  managing  federal  grants,  and  (4)  providing  citizens 
information  on  the  development  of  specific  federal  rules  and  regulations. 
Anticipated  benefits  include  reducing  the  expense  and  difficulty  of  doing 
business  with  the  government,  providing  citizens  improved  access  to 
government  services,  and  making  government  more  transparent  and 
accountable.  Success  in  achieving  these  benefits  will  require  agencies  and 
others  involved  to  ensure  that  the  systems  supporting  E-government  are 
protected  from  fraud,  inappropriate  disclosures,  and  disruption.  Without 
this  protection,  confidence  in  E-government  may  be  diminished,  and  the 
related  benefits  never  fully  achieved. 


Control  Weaknesses 
Across  Agencies 
are  Similar 

Although  the  nature  of  agency  operations  and  their  related  risks  vary, 
striking  similarities  remain  in  the  specific  types  of  general  control 
weaknesses  reported  and  in  their  serious  negative  impact  on  an  agency’s 
ability  to  ensure  the  integrity,  availability,  and  appropriate  confidentiality 
of  its  computerized  operations.  Likewise,  similarities  exist  in  the 
corrective  actions  they  must  take.  The  following  sections  describe  the  six 
areas  of  general  controls  and  the  specific  weaknesses  that  were  most 
widespread  at  the  agencies  covered  by  our  analysis. 


Security  Program 
Management 

Each  organization  needs  a  set  of  management  procedures  and  an 
organizational  framework  for  identifying  and  assessing  risks,  deciding 


14The  President’s  Management  Agenda,  Fiscal  Year  2002,  www.whitehouse.gov/omb/budget. 
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what  policies  and  controls  are  needed,  periodically  evaluating  the 
effectiveness  of  these  policies  and  controls,  and  acting  to  address  any 
identified  weaknesses.  These  are  the  fundamental  activities  that  allow  an 
organization  to  manage  its  information  security  risks  in  a  cost  effective 
manner  rather  than  reacting  to  individual  problems  in  an  ad-hoc  manner 
only  after  a  violation  has  been  detected  or  an  audit  finding  reported. 

Despite  the  importance  of  this  aspect  of  an  information  security  program, 
poor  security  program  management  continues  to  be  a  widespread 
problem.  Virtually  all  the  agencies  for  which  this  aspect  of  security  was 
reviewed  had  deficiencies.  Specifically,  many  had  not  (1)  developed 
security  plans  for  major  systems  based  on  risk  (2)  documented  security 
policies,  and  (3)  implemented  a  program  for  testing  and  evaluating  the 
effectiveness  of  the  controls  they  relied  on.  As  a  result,  these  agencies 

•  were  not  fully  aware  of  the  information  security  risks  to  their  operations, 

•  had  accepted  an  unknown  level  of  risk  by  default  rather  than  consciously 
deciding  what  level  of  risk  was  tolerable, 

•  had  a  false  sense  of  security  because  they  were  relying  on  ineffective 
controls,  and 

•  could  not  make  informed  judgments  as  to  whether  they  were  spending  too 
little  or  too  much  of  their  resources  on  security. 


Access  Controls 


Access  controls  limit  or  detect  inappropriate  access  to  computer 
resources  (data,  equipment,  and  facilities),  thereby  protecting  these 
resources  against  unauthorized  modification,  loss,  and  disclosure.  Access 
controls  include  physical  protections — such  as  gates  and  guards — as  well 
as  logical  controls,  which  are  controls  built  into  software  that  require 
users  to  authenticate  themselves  (through  the  use  of  secret  passwords  or 
other  identifiers)  and  limit  the  files  and  other  resources  that  authenticated 
users  can  access  and  the  actions  that  they  execute.  Without  adequate 
access  controls,  unauthorized  individuals,  including  outside  intruders  and 
former  employees,  can  surreptitiously  read  and  copy  sensitive  data  and 
make  undetected  changes  or  deletions  for  malicious  purposes  or  personal 
gain.  Also,  authorized  users  can  intentionally  or  unintentionally  modify  or 
delete  data  or  execute  changes  that  are  outside  their  span  of  authority. 

For  access  controls  to  be  effective,  they  must  be  properly  implemented 
and  maintained.  First,  an  organization  must  analyze  the  responsibilities  of 
individual  computer  users  to  determine  what  type  of  access  (e.g.,  read, 
modify,  delete)  they  need  to  fulfill  their  responsibilities.  Then,  specific 
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control  techniques,  such  as  specialized  access  control  software,  must  be 
implemented  to  restrict  access  to  these  authorized  functions.  Such 
software  can  be  used  to  limit  a  user’s  activities  associated  with  specific 
systems  or  files  and  keep  records  of  individual  users’  actions  on  the 
computer.  Finally,  access  authorizations  and  related  controls  must  be 
maintained  and  adjusted  on  an  ongoing  basis  to  accommodate  new  and 
departing  employees,  as  well  as  changes  in  users’  responsibilities  and 
related  access  needs. 

•  Significant  access  control  weaknesses  were  reported  for  all  the  agencies 
covered  by  our  analysis,  as  shown  by  the  following  examples: 

•  Accounts  and  passwords  for  individuals  no  longer  associated  with  the 
agency  were  not  deleted  or  disabled  nor  were  they  adjusted  for  those 
whose  responsibilities,  and  thus  need  to  access  certain  files,  changed.  As  a 
result,  at  one  agency,  former  employees  and  contractors  could  still  and  in 
many  cases  did  read,  modify,  copy,  or  delete  data.  At  this  same  agency, 
even  after  160  days  of  inactivity,  7,500  out  of  30,000  users’  accounts  had 
not  been  deactivated. 

•  Users  were  not  required  to  periodically  change  their  passwords. 

•  Managers  did  not  precisely  identify  and  document  access  needs  for 
individual  users  or  groups  of  users.  Instead,  they  provided  overly  broad 
access  privileges  to  very  large  groups  of  users.  As  a  result,  far  more 
individuals  than  necessary  had  the  ability  to  browse  and,  sometimes, 
modify  or  delete  sensitive  or  critical  information.  At  one  agency,  all  1,100 
users  were  granted  access  to  sensitive  system  directories  and  settings.  At 
another  agency,  20,000  users  had  been  provided  access  to  one  system 
without  written  authorization. 

•  Use  of  default,  easily  guessed,  and  unencrypted  passwords  significantly 
increased  the  risk  of  unauthorized  access.  During  testing  at  one  agency, 
we  were  able  to  guess  many  passwords  based  on  our  knowledge  of 
commonly  used  passwords  and  were  able  to  observe  computer  users’ 
keying  in  passwords  and  then  use  those  passwords  to  obtain  “high  level” 
system  administration  privileges. 

•  Software  access  controls  were  improperly  implemented,  resulting  in 
unintended  access  or  gaps  in  access-control  coverage.  At  one  agency  data 
center,  all  users,  including  programmers  and  computer  operators,  had  the 
ability  to  read  sensitive  production  data,  increasing  the  risk  that  such 
sensitive  information  could  be  disclosed  to  unauthorized  individuals.  Also, 
at  this  agency,  certain  users  had  the  unrestricted  ability  to  transfer  system 
files  across  the  network,  increasing  the  risk  that  unauthorized  individuals 
could  gain  access  to  the  sensitive  data  or  programs. 
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To  illustrate  the  risks  associated  with  poor  authentication  and  access 
controls,  in  recent  years  we  have  begun  to  incorporate  network 
vulnerability  testing  into  our  audits  of  information  security.  Such  tests 
involve  attempting — with  agency  cooperation — to  gain  unauthorized 
access  to  sensitive  files  and  data  by  searching  for  ways  to  circumvent 
existing  controls,  often  from  remote  locations.  Our  auditors  have  been 
successful,  in  almost  every  test,  in  readily  gaining  unauthorized  access  that 
would  allow  both  internal  and  external  intruders  to  read,  modify,  or  delete 
data  for  whatever  purpose  they  had  in  mind.  Further,  user  activity  was 
inadequately  monitored.  Also,  much  of  the  activity  associated  with  our 
intrusion  testing  has  not  been  recognized  and  recorded,  and  the  problem 
reports  that  were  recorded  did  not  recognize  the  magnitude  of  our  activity 
or  the  severity  of  the  security  breaches  we  initiated. 


Software  Development 
and  Change  Controls 

Controls  over  software  development  and  changes  prevent  unauthorized 
software  programs  or  modifications  to  programs  from  being  implemented. 
Key  aspects  of  such  controls  are  ensuring  that  (1)  software  changes  are 
properly  authorized  by  the  managers  responsible  for  the  agency  program 
or  operations  that  the  application  supports,  (2)  new  and  modified  software 
programs  are  tested  and  approved  before  they  are  implemented,  and  (3) 
approved  software  programs  are  maintained  in  carefully  controlled 
libraries  to  protect  them  from  unauthorized  changes  and  ensure  that 
different  versions  are  not  misidentified. 

Such  controls  can  prevent  errors  in  software  programming  as  well  as 
malicious  efforts  to  insert  unauthorized  computer  program  code.  Without 
adequate  controls,  incompletely  tested  or  unapproved  software  can  result 
in  erroneous  data  processing  that,  depending  on  the  application,  could 
lead  to  losses  or  faulty  outcomes.  In  addition,  individuals  could 
surreptitiously  modify  software  programs  to  include  processing  steps  or 
features  that  could  later  be  exploited  for  personal  gain  or  sabotage. 

Weaknesses  in  software  program  change  controls  were  identified  for 
almost  all  the  agencies  for  which  these  controls  were  evaluated.  Examples 
of  weaknesses  in  this  area  included  the  following: 

•  Testing  procedures  were  undisciplined  and  did  not  ensure  that 

implemented  software  operated  as  intended.  For  example,  at  one  agency, 
senior  officials  authorized  some  systems  for  processing  without  testing 
access  controls  to  ensure  that  they  had  been  implemented  and  were 
operating  effectively.  At  another  agency,  documentation  was  not  retained 
to  demonstrate  user  testing  and  acceptance. 
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•  Implementation  procedures  did  not  ensure  that  only  authorized  software 
was  used.  In  particular,  procedures  did  not  ensure  that  emergency 
changes  were  subsequently  tested  and  formally  approved  for  continued 
use  and  that  implementation  of  “locally  developed”  (unauthorized) 
software  programs  was  prevented  or  detected. 

•  Agencies’  policies  and  procedures  frequently  did  not  address  the 
maintenance  and  protection  of  program  libraries. 


Segregation  of  Duties 

Segregation  of  duties  refers  to  the  policies,  procedures,  and  organizational 
structure  that  help  ensure  that  one  individual  cannot  independently 
control  all  key  aspects  of  a  process  or  computer-related  operation  and 
thereby  conduct  unauthorized  actions  or  gain  unauthorized  access  to 
assets  or  records  without  detection.  For  example,  one  computer 
programmer  should  not  be  allowed  to  independently  write,  test,  and 
approve  program  changes. 

Although  segregation  of  duties  alone  will  not  ensure  that  only  authorized 
activities  occur,  inadequate  segregation  of  duties  increases  the  risk  that 
erroneous  or  fraudulent  transactions  could  be  processed,  improper 
program  changes  implemented,  and  computer  resources  damaged  or 
destroyed.  For  example, 

•  an  individual  who  was  independently  responsible  for  authorizing, 
processing,  and  reviewing  payroll  transactions  could  inappropriately 
increase  payments  to  selected  individuals  without  detection  or 

•  a  computer  programmer  responsible  for  authorizing,  writing,  testing,  and 
distributing  program  modifications  could  either  inadvertently  or 
deliberately  implement  computer  programs  that  did  not  process 
transactions  in  accordance  with  management’s  policies  or  that  included 
malicious  code. 

Controls  to  ensure  appropriate  segregation  of  duties  consist  mainly  of 
documenting,  communicating,  and  enforcing  policies  on  group  and 
individual  responsibilities.  Segregation  of  duties  can  be  enforced  by  a 
combination  of  physical  and  logical  access  controls  and  by  effective 
supervisory  review.  We  identified  weaknesses  in  segregation  of  duties  at 
most  agencies  covered  by  our  analysis.  Common  problems  involved 
computer  programmers  and  operators  who  were  authorized  to  perform  a 
variety  of  duties,  thus  providing  them  the  ability  to  independently  modify, 
circumvent,  and  disable  system  security  features.  For  example,  at  one  data 
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center,  a  single  individual  could  independently  develop,  test,  review,  and 
approve  software  changes  for  implementation. 

Segregation  of  duties  problems  were  also  identified  related  to  transaction 
processing.  For  example,  at  one  agency,  11  staff  members  involved  with 
procurement  had  system  access  privileges  that  allowed  them  to 
individually  request,  approve,  and  record  the  receipt  of  purchased  items. 
In  addition,  9  of  the  11  staff  members  had  system  access  privileges  that 
allowed  them  to  edit  the  vendor  file,  which  could  result  in  fictitious 
vendors  being  added  to  the  file  for  fraudulent  purposes.  For  fiscal  year 
1999,  we  identified  60  purchases,  totaling  about  $300,000,  that  were 
requested,  approved,  and  receipt-recorded  by  the  same  individual. 


Operating  System 
Software  Controls 

Operating  system  software  controls  limit  and  monitor  access  to  the 
powerful  programs  and  sensitive  files  associated  with  the  computer 
systems  operation.  Generally,  one  set  of  system  software  is  used  to 
support  and  control  a  variety  of  applications  that  may  run  on  the  same 
computer  hardware.  System  software  helps  control  and  coordinate  the 
input,  processing,  output,  and  data  storage  associated  with  all  applications 
that  run  on  the  system.  Some  system  software  can  change  data  and 
program  code  on  files  without  leaving  an  audit  trail  or  can  be  used  to 
modify  or  delete  audit  trails.  Examples  of  system  software  include  the 
operating  system,  system  utilities,  program  library  systems,  file 
maintenance  software,  security  software,  data  communications  systems, 
and  database  management  systems. 

Controls  over  access  to  and  modification  of  system  software  are  essential 
in  providing  reasonable  assurance  that  operating  system-based  security 
controls  are  not  compromised  and  that  the  system  will  not  be  impaired.  If 
controls  in  this  area  are  inadequate,  unauthorized  individuals  might  use 
system  software  to  circumvent  security  controls  to  read,  modify,  or  delete 
critical  or  sensitive  information  and  programs.  Also,  authorized  users  of 
the  system  may  gain  unauthorized  privileges  to  conduct  unauthorized 
actions  or  to  circumvent  edits  and  other  controls  built  into  application 
programs.  Such  weaknesses  seriously  diminish  the  reliability  of 
information  produced  by  all  applications  supported  by  the  computer 
system  and  increase  the  risk  of  fraud,  sabotage,  and  inappropriate 
disclosure.  Further,  system  software  programmers  are  often  more 
technically  proficient  than  other  data  processing  personnel  and,  thus,  have 
a  greater  ability  to  perform  unauthorized  actions  if  controls  in  this  area  are 
weak. 


Page  14 


GAO-01-1132T 


The  control  concerns  for  system  software  are  similar  to  the  access  control 
issues  and  software  program  change  control  issues  discussed  earlier. 
However,  because  of  the  high  level  of  risk  associated  with  system  software 
activities,  most  entities  have  a  separate  set  of  control  procedures  that 
apply  to  them.  Weaknesses  were  identified  at  each  agency  for  which 
operating  system  controls  were  reviewed.  A  common  type  of  problem 
reported  was  insufficiently  restricted  access  that  made  it  possible  for 
knowledgeable  individuals  to  disable  or  circumvent  controls  in  a  variety  of 
ways.  For  example,  at  one  agency,  system  support  personnel  had  the 
ability  to  change  data  in  the  system  audit  log.  As  a  result,  they  could  have 
engaged  in  a  wide  array  of  inappropriate  and  unauthorized  activity  and 
could  have  subsequently  deleted  related  segments  of  the  audit  log,  thus 
diminishing  the  likelihood  that  their  actions  would  be  detected. 

Further,  pervasive  vulnerabilities  in  network  configuration  exposed 
agency  systems  to  attack.  These  vulnerabilities  stemmed  from  agencies’ 
failure  to  (1)  install  and  maintain  effective  perimeter  security,  such  as 
firewalls  and  screening  routers,  (2)  implement  current  software  patches, 
and  (3)  protect  against  commonly  known  methods  of  attack. 


Service  Continuity 
Controls 

Finally,  service  continuity  controls  ensure  that  when  unexpected  events 
occur,  critical  operations  will  continue  without  undue  interruption  and 
that  crucial,  sensitive  data  are  protected.  For  this  reason,  an  agency  should 
have  (1)  procedures  in  place  to  protect  information  resources  and 
minimize  the  risk  of  unplanned  interruptions  and  (2)  a  plan  to  recover 
critical  operations  should  interruptions  occur.  These  plans  should 
consider  the  activities  performed  at  general  support  facilities,  such  as  data 
processing  centers,  as  well  as  the  activities  performed  by  users  of  specific 
applications.  To  determine  whether  recovery  plans  will  work  as  intended, 
they  should  be  tested  periodically  in  disaster  simulation  exercises. 

Losing  the  capability  to  process,  retrieve,  and  protect  electronically 
maintained  information  can  significantly  affect  an  agency’s  ability  to 
accomplish  its  mission.  If  controls  are  inadequate,  even  relatively  minor 
interruptions  can  result  in  lost  or  incorrectly  processed  data,  which  can 
cause  financial  losses,  expensive  recovery  efforts,  and  inaccurate  or 
incomplete  financial  or  management  information.  Controls  to  ensure 
service  continuity  should  address  the  entire  range  of  potential  disruptions. 
These  may  include  relatively  minor  interruptions,  such  as  temporary 
power  failures  or  accidental  loss  or  erasure  of  files,  as  well  as  major 
disasters,  such  as  fires  or  natural  disasters,  that  would  require 


Page  15 


GAO-01-1132T 


reestablishing  operations  at  a  remote  location.  Service  continuity  controls 
include  (1)  taking  steps,  such  as  routinely  making  backup  copies  of  files, 
to  prevent  and  minimize  potential  damage  and  interruption,  (2)  developing 
and  documenting  a  comprehensive  contingency  plan,  and  (3)  periodically 
testing  the  contingency  plan  and  adjusting  it  as  appropriate. 

Service  continuity  control  weaknesses  were  reported  for  most  of  the 
agencies  covered  by  our  analysis.  Examples  of  weaknesses  included  the 
following: 

•  Plans  were  incomplete  because  operations  and  supporting  resources  had 
not  been  fully  analyzed  to  determine  which  were  the  most  critical  and 
would  need  to  be  resumed  as  soon  as  possible  should  a  disruption  occur. 

•  Disaster  recovery  plans  were  not  fully  tested  to  identify  their  weaknesses. 
For  example,  periodic  walkthroughs  or  unannounced  tests  of  the  disaster 
recovery  plan  had  not  been  performed.  Conducting  these  types  of  tests 
provides  a  scenario  more  likely  to  be  encountered  in  the  event  of  an  actual 
disaster. 


Security  Program 
Management  Can  Be 
Improved  With  New 
Evaluation  and 
Reporting  Requirements 

The  audit  reports  cited  in  this  statement  and  in  our  prior  information 
security  reports  include  many  recommendations  to  individual  agencies 
that  address  specific  weaknesses  in  the  areas  I  have  just  described.  It  is 
each  individual  agency’s  responsibility  to  ensure  that  these 
recommendations  are  implemented.  Agencies  have  taken  steps  to  address 
problems,  and  many  have  remedial  efforts  underway.  However,  these 
efforts  will  not  be  fully  effective  and  lasting  unless  they  are  supported  by  a 
strong  agencywide  security  management  framework. 

Establishing  such  a  management  framework  requires  that  agencies  take  a 
comprehensive  approach  that  involves  both  (1)  senior  agency  program 
managers  who  understand  which  aspects  of  their  missions  are  the  most 
critical  and  sensitive  and  (2)  technical  experts  who  know  the  agencies’ 
systems  and  can  suggest  appropriate  technical  security  control  techniques. 
We  studied  the  practices  of  organizations  with  superior  security  programs 
and  summarized  our  findings  in  a  May  1998  executive  guide  entitled 
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Information  Security  Management:  Learning  From  Leading  Organizations 
(GAO/AIMD-98-68).  Our  study  found  that  these  organizations  managed 
their  information  security  risks  through  a  cycle  of  risk  management 
activities  that  included 

•  assessing  risks  and  determining  protection  needs, 

•  selecting  and  implementing  cost-effective  policies  and  controls  to  meet 
these  needs, 

•  promoting  awareness  of  policies  and  controls  and  of  the  risks  that 
prompted  their  adoption  among  those  responsible  for  complying  with 
them,  and 

•  implementing  a  program  of  routine  tests  and  examinations  for  evaluating 
the  effectiveness  of  policies  and  related  controls  and  reporting  the 
resulting  conclusions  to  those  who  can  take  appropriate  corrective  action. 

In  addition,  a  strong,  centralized  focal  point  can  help  ensure  that  the  major 
elements  of  the  risk  management  cycle  are  carried  out  and  serve  as  a 
communications  link  among  organizational  units.  Such  coordination  is 
especially  important  in  today’s  highly  networked  computing  environments. 

Implementing  this  cycle  of  risk  management  activities  is  the  key  to 
ensuring  that  information  security  risks  are  adequately  considered  and 
addressed  on  an  ongoing,  agencywide  basis.  Included  within  it  are  several 
steps  that  agencies  can  take  immediately.  Specifically,  they  can  (1) 
increase  awareness,  (2)  ensure  that  existing  controls  are  operating 
effectively,  (3)  ensure  that  software  patches  are  up-to-date,  (4)  use 
automated  scanning  and  testing  tools  to  quickly  identify  problems,  (5) 
propagate  their  best  practices,  and  (6)  ensure  that  their  most  common 
vulnerabilities  are  addressed.  Although  none  of  these  actions  alone  will 
ensure  good  security,  they  take  advantage  of  readily  available  information 
and  tools  and,  thus,  do  not  involve  significant  new  resources.  As  a  result, 
they  are  steps  that  can  be  made  without  delay. 

Due  to  concerns  about  the  repeated  reports  of  computer  security 
weaknesses  at  federal  agencies,  in  2000,  you,  Mr.  Chairman,  and  Senator 
Thompson  introduced  government  information  security  reform  legislation 
to  require  agencies  to  implement  the  activities  I  have  just  described.  This 
legislation  was  enacted  in  late  2000  as  part  of  the  fiscal  year  2001  National 
Defense  Authorization  Act.  In  addition  to  requiring  security  program 
management  improvements,  the  new  provisions  require  that  both 
management  and  agency  inspectors  general  annually  evaluate  agency 
information  security  programs.  The  Office  of  Management  and  Budget 
(OMB)  has  asked  agencies  to  submit  the  results  of  their  program  reviews 
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and  the  results  of  their  inspector  general’s  independent  evaluation  this 
week.  In  accordance  with  the  new  law,  OMB  plans  to  develop  a  summary 
report  to  the  Congress  later  this  year.  This  summary  report,  and  the 
subordinate  agency  reports,  should  provide  a  more  complete  picture  of  the 
status  of  federal  information  security  than  has  previously  been  available, 
thereby  providing  the  Congress  and  OMB  with  an  improved  means  of 
overseeing  agency  progress  and  identifying  areas  needing  improvement. 

This  annual  evaluation  and  reporting  process  is  an  important  mechanism, 
previously  missing,  for  holding  agencies  accountable  for  implementing 
effective  security  and  managing  the  problem  from  a  governmentwide 
perspective.  We  are  currently  reviewing  agency  implementation  of  the  new 
provisions. 


Critical  Infrastructure 
Protection  Efforts 
Supplement  Traditional 
Information  Security 

Beyond  the  risks  of  computer-based  attacks  on  critical  federal  operations, 
the  federal  government  has  begun  to  address  the  risks  of  computer-based 
attacks  on  our  nation’s  computer-dependent  critical  infrastructures,  such 
as  electric  power  distribution,  telecommunications,  and  essential 
government  services.  Although  these  efforts  pertain  to  many  traditional 
computer  security  issues,  such  as  maintaining  the  integrity,  confidentiality, 
and  availability  of  important  computerized  operations,  they  focus 
primarily  on  risks  of  national  importance  and  encompass  efforts  to  ensure 
the  security  of  privately  controlled  critical  infrastructures. 

The  recent  history  of  federal  initiatives  to  address  these  computer-based 
risks  includes  the  following. 

•  In  June  1995,  a  Critical  Infrastructure  Working  Group,  led  by  the  Attorney 
General,  was  formed  to  (1)  identify  critical  infrastructures  and  assess  the 
scope  and  nature  of  threats  to  them,  (2)  survey  existing  government 
mechanisms  for  addressing  these  threats,  and  (3)  propose  options  for  a 
full-time  group  to  consider  long-term  government  responses  to  threats  to 
critical  infrastructures.  The  working  group  identified  critical 
infrastructures,  characterized  threats  to  them,  and  recommended  creating 
a  commission  to  investigate  such  issues. 
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•  In  February  1996,  the  National  Defense  Authorization  Act  required  the 
executive  branch  to  provide  a  report  to  the  Congress  on  the  policies  and 
plans  for  developing  capabilities  to  defend  against  computer-based 
attacks,  such  as  warnings  of  strategic  attacks  against  the  national 
information  infrastructure.16  Later  that  year,  the  Permanent  Subcommittee 
on  Investigations,  Senate  Committee  on  Governmental  Affairs,  began  to 
hold  hearings  on  security  in  cyberspace.  Since  then,  congressional  interest 
in  protecting  national  infrastructures  has  remained  strong. 

•  In  July  1996,  in  response  to  the  recommendation  of  the  1995  working 
group,  the  President's  Commission  on  Critical  Infrastructure  Protection 
was  established  to  further  investigate  the  nation's  vulnerability  to  both 
cyber  and  physical  threats. 

•  In  October  1997,  the  President’s  Commission  issued  its  report,16  which 
described  the  potentially  devastating  implications  of  poor  information 
security  from  a  national  perspective. 

In  response  to  the  commission’s  report,  the  President  initiated  actions  to 
implement  a  cooperative  public/private  approach  to  protecting  the 
nation’s  critical  infrastructures  by  issuing  PDD  63  in  May  1998.  The 
directive  called  for  a  range  of  activities  to  improve  federal  agency  security 
programs,  establish  a  partnership  between  the  government  and  private 
sector,  and  improve  the  nation’s  ability  to  detect  and  respond  to  serious 
attacks.  The  directive  established  critical  infrastructure  protection  as  a 
national  goal,  stating  that,  by  the  close  of  2000,  the  United  States  was  to 
have  achieved  an  initial  operating  capability  and,  no  later  than  2003,  the 
capability  to  protect  the  nation's  critical  infrastructures  from  intentional 
destructive  acts. 

To  accomplish  its  goals,  PDD-63  designated  the  National  Coordinator  for 
Security,  Infrastructure  Protection,  and  Counter-Terrorism,  who  reports  to 
the  Assistant  to  the  President  for  National  Security  Affairs,  to  oversee  the 
development  and  implementation  of  national  policy  in  this  area.  The 
directive  also  established  the  National  Plan  Coordination  staff,  which 
became  the  Critical  Infrastructure  Assurance  Office,  an  interagency  office 
housed  in  the  Department  of  Commerce  responsible  for  planning 
infrastructure  protection  efforts.  It  further  authorized  the  FBI  to  expand 
its  National  Infrastructure  Protection  Center  (NIPC)  and  directed  the 
NIPC  to  gather  information  on  threats  and  coordinate  the  federal 
government’s  response  to  incidents  affecting  infrastructures. 


16National  Defense  Authorization  Act  of  Fiscal  Year  1996,  Pub.  L.  104-106,  Div.  A,  Title  X, 
Subtitle  E,  Section  1063. 

16  Critical  Foundations:  Protecting  America's  Infrastructures,  the  Report  of  the  President's 
Commission  on  Critical  Infrastructure  Protection,  October  1997. 
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In  addition,  the  directive  designated  “lead  agencies”  to  work  with  private- 
sector  and  government  entities  in  each  of  eight  infrastructure  sectors  and 
five  special  function  areas.  For  example,  the  Department  of  the  Treasury  is 
responsible  for  working  with  the  banking  and  finance  sector,  and  the 
Department  of  Energy  is  responsible  for  working  with  the  electric  power 
industry.  Similarly,  regarding  special  function  areas,  DOD  is  responsible 
for  national  defense,  and  the  Department  of  State  is  responsible  for  foreign 
affairs.  To  facilitate  private-sector  participation,  PDD  63  encouraged  the 
creation  of  Information  Sharing  and  Analysis  Centers  (ISACs)  that  could 
serve  as  mechanisms  for  gathering,  analyzing,  and  appropriately  sanitizing 
and  disseminating  information  to  and  from  infrastructure  sectors  and  the 
NIPC.  Figure  1  depicts  the  entities  with  critical  infrastructure  protection 
responsibilities  as  outlined  by  PDD  63. 
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Figure  1:  Critical  Infrastructure  Protection  Responsibilities  as  Outlined  by  PPD  63 


Source:  The  Critical  Infrastructure  Assurance  Office. 
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Shortly  after  the  initial  issuance  of  PDD  63,  we  reported  on  the  importance 
of  developing  a  governmentwide  strategy  that  clearly  defines  and 
coordinates  the  roles  of  new  and  existing  federal  entities  to  ensure 
governmentwide  cooperation  and  support  for  PDD  63. 17  Specifically,  we 
noted  that  several  of  PDD  63’s  provisions  appeared  to  overlap  with 
existing  requirements  prescribed  in  the  Paperwork  Reduction  Act;  OMB 
Circular  A-130,  Appendix  III;  the  Computer  Security  Act;  and  the  Clinger- 
Cohen  Act.  In  addition,  some  of  the  directive’s  objectives  were  similar  to 
objectives  being  addressed  by  other  federal  entities,  such  as  developing  a 
federal  incident  handling  capability,  which  was  then  in  the  process  of 
being  addressed  by  the  National  Institute  of  Standards  and  Technology 
and  the  federal  Chief  Information  Officers  Council. lf>  At  that  time,  we 
recommended  that  OMB,  which,  by  law,  is  responsible  for  overseeing 
federal  information  security,  and  the  Assistant  to  the  President  for 
National  Security  Affairs  ensure  such  coordination. 

In  July  2000,  we  reported  that  a  variety  of  activities  had  been  undertaken 
in  response  to  PDD  63,  including  developing  and  reviewing  individual 
agency  critical  infrastructure  protection  plans,  identifying  and  evaluating 
information  security  standards  and  best  practices,  and  the  White  House’s 
issuing  its  National  Plan  for  Information  Systems  Protection 19  as  a  first 
major  element  of  a  more  comprehensive  strategy  to  be  developed/0  At  that 
time,  we  reiterated  the  importance  of  defining  and  clarifying 
organizational  roles  and  responsibilities,  noting  that  numerous  federal 
entities  were  collecting,  analyzing,  and  disseminating  data  or  guidance  on 
computer  security  vulnerabilities  and  incidents  and  that  clarification 
would  help  ensure  a  common  understanding  of  (1)  how  the  activities  of 
these  many  organizations  interrelate,  (2)  who  should  be  held  accountable 
for  their  success  or  failure,  and  (3)  whether  such  activities  will  effectively 
and  efficiently  support  national  goals. 

The  administration  is  currently  reviewing  the  federal  strategy  for  critical 
infrastructure  protection  that  was  originally  outlined  in  PDD  63.  On  May  9, 
the  White  House  issued  a  statement  saying  that  it  was  working  with 
federal  agencies  and  private  industry  to  prepare  a  new  version  of  a 
“national  plan  for  cyberspace  security  and  critical  infrastructure 


17 Information  Security:  Serious  Weaknesses  Place  Critical  Federal  Operations  and  Assets  at 
Risk  (GAO/AIMD-98-92,  September  23,  1998). 

18The  federal  incident  handling  program  is  now  operated  by  the  Federal  Computer  Incident 
Response  Center  at  the  General  Services  Administration. 

19 Defending  America’s  Cyberspace:  National  Plan  for  Information  Systems  Protection: 
Version  1.0:  An  Invitation  to  a  Dialogue,  The  White  House,  January  7,  2000. 

20 Critical  Infrastructure  Protection:  Challenges  to  Building  a  Comprehensive  Strategy  for 
Information  Sharing  and  Coordination  (GAO/T-AIMD-OO-268,  July  26,  2000). 
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protection”  and  reviewing  how  the  government  is  organized  to  deal  with 
information  security  issues. 


NIPC  Progress  Has 
Been  Mixed 

A  key  element  of  the  strategy  outlined  in  PPD  63  was  the  establishment  of 
the  NIPC  as  “a  national  focal  point”  for  gathering  information  on  threats 
and  facilitating  the  federal  government’s  response  to  computer-based 
incidents.  Specifically,  the  directive  assigned  the  NIPC  the  responsibility 
for  providing  comprehensive  analyses  on  threats,  vulnerabilities,  and 
attacks;  issuing  timely  warnings  on  threats  and  attacks;  facilitating  and 
coordinating  the  government’s  response  to  computer-based  incidents; 
providing  law  enforcement  investigation  and  response,  monitoring 
reconstitution  of  minimum  required  capabilities  after  an  infrastructure 
attack;  and  promoting  outreach  and  information  sharing. 

In  April,  we  reported  on  the  NIPC’s  progress  in  developing  national 
capabilities  for  analyzing  threat  and  vulnerability  data  and  issuing 
warnings,  responding  to  attacks,  and  developing  information-sharing 
relationships  with  government  and  private-sector  entities.21  Overall,  we 
found  that  while  progress  in  developing  these  capabilities  was  mixed,  the 
NIPC  had  initiated  a  variety  of  critical  infrastructure  protection  efforts  that 
had  laid  a  foundation  for  future  governmentwide  efforts.  In  addition,  the 
NIPC  had  provided  valuable  support  and  coordination  related  to 
investigating  and  otherwise  responding  to  attacks  on  computers.  However, 
at  the  close  of  our  review,  the  analytical  and  information-sharing 
capabilities  that  PDD  63  asserted  are  needed  to  protect  the  nation’s  critical 
infrastructures  had  not  yet  been  achieved,  and  the  NIPC  had  developed 
only  limited  warning  capabilities.  Developing  such  capabilities  is  a 
formidable  task  that  experts  say  will  take  an  intense  interagency  effort. 


Multiple  Factors  Have  Limited 
Development  of  Analysis 
and  Warning  Capabilities 

PDD  63  assigns  the  NIPC  responsibility  for  developing  analytical 
capabilities  to  provide  comprehensive  information  on  changes  in  threat 
conditions  and  newly  identified  system  vulnerabilities,  as  well  as  timely 


21  Critical  Infrastructure  Protection:  Significant  Challenges  in  Developing  National 
Capabilities  (GAO-Ol-323,  April  25,  2001). 
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warnings  of  potential  and  actual  attacks.  This  responsibility  requires 
obtaining  and  analyzing  intelligence,  law  enforcement,  and  other 
information  to  identify  patterns  that  may  signal  that  an  attack  is  underway 
or  imminent. 

Since  its  establishment  in  1998,  the  NIPC  has  issued  a  variety  of  analytical 
products,  most  of  which  have  been  tactical  analyses  pertaining  to 
individual  incidents.  These  analyses  have  included  (1)  situation  reports 
related  to  law  enforcement  investigations,  including  denial-of-service 
attacks  that  affected  numerous  Internet-based  entities,  such  as  eBay  and 
Yahoo,  and  (2)  analytical  support  of  a  counterintelligence  investigation.  In 
addition,  the  NIPC  has  issued  a  variety  of  publications,  most  of  which 
were  compilations  of  information  previously  reported  by  others  with  some 
NIPC  analysis. 

The  use  of  strategic  analysis  to  determine  the  potential  broader 
implications  of  individual  incidents  has  been  limited.  Such  analysis  looks 
beyond  one  specific  incident  to  consider  a  broader  set  of  incidents  or 
implications  that  may  indicate  a  potential  threat  of  national  importance. 
Identifying  such  threats  assists  in  proactively  managing  risk,  including 
evaluating  the  risks  associated  with  possible  future  incidents  and 
effectively  mitigating  the  impact  of  such  incidents. 

Three  factors  have  hindered  the  NIPC’s  ability  to  develop  strategic 
analytical  capabilities. 

•  First,  there  is  no  generally  accepted  methodology  for  analyzing  strategic 
cyber-based  threats.  For  example,  there  is  no  standard  terminology,  no 
standard  set  of  factors  to  consider,  and  no  established  thresholds  for 
determining  the  sophistication  of  attack  techniques.  According  to  officials 
in  the  intelligence  and  national  security  community,  developing  such  a 
methodology  would  require  an  intense  interagency  effort  and  dedication  of 
resources. 

•  Second,  the  NIPC  has  sustained  prolonged  leadership  vacancies  and  does 
not  have  adequate  staff  expertise,  in  part  because  other  federal  agencies 
have  not  provided  the  originally  anticipated  number  of  detailees.  For 
example,  at  the  close  of  our  review  in  February,  the  position  of  Chief  of 
the  Analysis  and  Warning  Section,  which  was  to  be  filled  by  the  Central 
Intelligence  Agency,  had  been  vacant  for  about  half  of  the  NIPC’s  3-year 
existence.  In  addition,  the  NIPC  had  been  operating  with  only  13  of  the  24 
analysts  that  NIPC  officials  estimate  are  needed  to  develop  analytical 
capabilities. 

•  Third,  the  NIPC  did  not  have  industry-specific  data  on  factors  such  as 
critical  system  components,  known  vulnerabilities,  and  interdependencies. 
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Under  PDD  63,  such  information  is  to  be  developed  for  each  of  eight 
industry  segments  by  industry  representatives  and  the  designated  federal 
lead  agencies.  However,  at  the  close  of  our  work  in  February,  only  three 
industry  assessments  had  been  partially  completed,  and  none  had  been 
provided  to  the  NIPC. 

To  provide  a  warning  capability,  the  NIPC  established  a  Watch  and 
Warning  Unit  that  monitors  the  Internet  and  other  media  24  hours  a  day  to 
identify  reports  of  computer-based  attacks.  As  of  February,  the  unit  had 
issued  81  warnings  and  related  products  since  1998,  many  of  which  were 
posted  on  the  NIPC’s  Internet  web  site.  While  some  warnings  were  issued 
in  time  to  avert  damage,  most  of  the  warnings,  especially  those  related  to 
viruses,  pertained  to  attacks  underway.  The  NIPC’s  ability  to  issue 
warnings  promptly  is  impeded  because  of  (1)  a  lack  of  a  comprehensive 
governmentwide  or  nationwide  framework  for  promptly  obtaining  and 
analyzing  information  on  imminent  attacks,  (2)  a  shortage  of  skilled  staff, 
(3)  the  need  to  ensure  that  the  NIPC  does  not  raise  undue  alarm  for 
insignificant  incidents,  and  (4)  the  need  to  ensure  that  sensitive 
information  is  protected,  especially  when  such  information  pertains  to  law 
enforcement  investigations  underway. 

However,  I  want  to  emphasize  a  more  fundamental  impediment  in  the 
NIPC’s  progress  that  echoes  our  previously  reported  concerns  about  the 
need  for  a  more  clearly  defined  critical  infrastructure  protection  strategy. 
Specifically,  evaluating  its  progress  in  developing  analysis  and  warning 
capabilities  was  difficult  because  the  entities  involved  in  the  government’s 
critical  infrastructure  protection  efforts  did  not  share  a  common 
interpretation  of  the  NIPC’s  roles  and  responsibilities.  Further,  the 
relationships  between  the  Center,  the  FBI,  and  the  National  Coordinator 
for  Security,  Infrastructure  Protection,  and  Counter-Terrorism  at  the 
National  Security  Council  were  unclear  regarding  who  has  direct  authority 
for  setting  NIPC  priorities  and  procedures  and  providing  NIPC  oversight. 
In  addition,  its  own  plans  for  further  developing  its  analytical  and  warning 
capabilities  were  fragmented  and  incomplete.  As  a  result,  no  specific 
priorities,  milestones,  or  program  performance  measures  existed  to  guide 
NIPC’s  actions  or  provide  a  basis  for  evaluating  its  progress. 

In  our  April  report,  we  recognized  that  the  administration  was  reviewing 
the  government’s  infrastructure  protection  strategy  and  recommended 
that,  as  the  administration  proceeds,  the  Assistant  to  the  President  for 
National  Security  Affairs,  in  coordination  with  pertinent  executive 
agencies, 
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•  establish  a  capability  for  strategically  analyzing  computer-based  threats, 
including  developing  related  methodology,  acquiring  staff  expertise,  and 
obtaining  infrastructure  data, 

•  require  development  of  a  comprehensive  data  collection  and  analysis 
framework  and  ensure  that  national  watch  and  warning  operations  for 
computer-based  attacks  are  supported  by  sufficient  staff  and  resources, 
and 

•  clearly  define  the  role  of  the  NIPC  in  relation  to  other  government  and 
private-sector  entities. 

In  commenting  on  a  draft  of  the  report,  the  Special  Assistant  to  the 
President  and  Senior  Director  for  Legislative  Affairs  at  the  National 
Security  Council  stated  that  our  report  highlighted  the  need  for  a  review  of 
the  roles  and  responsibilities  of  the  federal  agencies  involved  in  U.S. 
critical  infrastructure  protection  support.  In  addition,  he  stated  that  the 
administration  will  consider  our  recommendations  as  it  reviews  federal 
cyber  activities  to  determine  how  the  critical  infrastructure  protection 
function  should  be  organized.  The  Special  Assistant  to  the  President  added 
that  some  functions  might  be  better  accomplished  by  distributing  the  tasks 
across  several  existing  federal  agencies,  creating  a  “virtual  analysis  center” 
that  would  provide  not  only  a  govemmentwide  analysis  and  reporting 
capability,  but  that  could  also  support  rapid  dissemination  of  cyber  threat 
and  warning  information. 


NIPC  Coordination  and 
Technical  Support  Have 
Benefited  Investigative 
and  Response  Capabilities 

PDD  63  directed  the  NIPC  to  provide  the  principal  means  of  facilitating 
and  coordinating  the  federal  government’s  response  to  computer-based 
incidents.  In  response,  the  NIPC  undertook  efforts  in  two  major  areas: 
providing  coordination  and  technical  support  to  FBI  investigations  and 
establishing  crisis-management  capabilities. 

First,  the  NIPC  provided  valuable  coordination  and  technical  support  to 
FBI  field  offices,  that  established  special  squads  and  teams  and  one 
regional  task  force  in  its  field  offices  to  address  the  growing  number  of 
computer  crime  cases.  The  NIPC  supported  these  investigative  efforts  by 
(1)  coordinating  investigations  among  FBI  field  offices,  thereby  bringing  a 
national  perspective  to  individual  cases,  (2)  providing  technical  support  in 
the  form  of  analyses,  expert  assistance  for  interviews,  and  tools  for 
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analyzing  and  mitigating  computer-based  attacks,  and  (3)  providing 
administrative  support  to  NIPC  field  agents.  For  example,  the  NIPC 
produced  over  250  written  technical  reports  during  1999  and  2000, 
developed  analytical  tools  to  assist  in  investigating  and  mitigating 
computer-based  attacks,  and  managed  the  procurement  and  installation  of 
hardware  and  software  tools  for  the  NIPC  field  squads  and  teams. 

While  these  efforts  benefited  investigative  efforts,  FBI  and  NIPC  officials 
told  us  that  increased  computer  capacity  and  data  transmission 
capabilities  would  improve  their  ability  to  promptly  analyze  the  extremely 
large  amounts  of  data  that  are  associated  with  some  cases.  In  addition,  FBI 
field  offices  were  not  yet  providing  the  NIPC  with  the  comprehensive 
information  that  NIPC  officials  say  is  needed  to  facilitate  prompt 
identification  and  response  to  cyber  incidents.  According  to  field  office 
officials,  some  information  on  unusual  or  suspicious  computer-based 
activity  had  not  been  reported  because  it  did  not  merit  opening  a  case  and 
was  deemed  to  be  insignificant.  To  address  this  problem,  the  NIPC 
established  new  performance  measures  related  to  reporting. 

Second,  the  NIPC  developed  crisis-management  capabilities  to  support  a 
multiagency  response  to  the  most  serious  incidents  from  the  FBI’s 
Washington,  D.C.,  Strategic  Information  Operations  Center.  From  1998 
through  early  2001,  seven  crisis-action  teams  had  been  activated  to 
address  potentially  serious  incidents  and  events,  such  as  the  Melissa  virus 
in  1999  and  the  days  surrounding  the  transition  to  the  year  2000,  and 
related  procedures  have  been  formalized.  In  addition,  the  NIPC 
coordinated  the  development  of  an  emergency  law  enforcement  plan  to 
guide  the  response  of  federal,  state,  and  local  entities. 

To  help  ensure  an  adequate  response  to  the  growing  number  of  computer 
crimes,  we  recommended  in  our  April  report  that  the  Attorney  General, 
the  FBI  Director,  and  the  NIPC  Director  take  steps  to  (1)  ensure  that  the 
NIPC  has  access  to  needed  computer  and  communications  resources  and 
(2)  monitor  the  implementation  of  new  performance  measures  to  ensure 
that  field  offices  fully  report  information  on  potential  computer  crimes  to 
the  NIPC. 
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Progress  in  Establishing 
Information-Sharing 
Relationships 
Has  Been  Mixed 

Information  sharing  and  coordination  among  private-sector  and 
government  organizations  are  essential  for  thoroughly  understanding 
cyber  threats  and  quickly  identifying  and  mitigating  attacks.  However,  as 
we  testified  in  July  2000,“  establishing  the  trusted  relationships  and 
information-sharing  protocols  necessary  to  support  such  coordination  can 
be  difficult. 

NIPC’s  success  in  this  area  has  been  mixed.  For  example,  the  InfraGard 
Program,  which  provides  the  FBI  and  the  NIPC  with  a  means  of  securely 
sharing  information  with  individual  companies,  was  viewed  by  the  NIPC  as 
an  important  element  in  building  trust  relationships  with  the  private 
sector.  As  of  January  2001,  the  InfraGard  program  had  grown  to  about  500 
member  organizations,  and,  recently,  NIPC  officials  told  us  that  InfraGard 
membership  has  continued  to  increase.  However,  of  the  four  information 
sharing  and  analysis  centers  that  had  been  established  as  focal  points  for 
infrastructure  sectors,  a  two-way,  information-sharing  partnership  with 
the  NIPC  had  developed  with  only  one — the  electric  power  industry.  The 
NIPC’s  dealings  with  two  of  the  other  three  centers  primarily  consisted  of 
providing  information  to  the  centers  without  receiving  any  in  return,  and 
no  procedures  had  been  developed  for  more  interactive  information 
sharing.  The  NIPC’s  information-sharing  relationship  with  the  fourth 
center  was  not  covered  by  our  review  because  the  center  was  not 
established  until  mid-January  2001,  shortly  before  the  close  of  our  work. 
However,  according  to  NIPC  and  ISAC  officials,  the  relationships  have 
improved  since  our  report. 

Similarly,  the  NIPC  and  the  FBI  made  only  limited  progress  in  developing  a 
database  of  the  most  important  components  of  the  nation’s  critical 
infrastructures — an  effort  referred  to  as  the  Key  Asset  Initiative.  Although 
FBI  field  offices  had  identified  over  5,000  key  assets,  at  the  time  of  our 
review,  the  entities  that  own  or  control  the  assets  generally  had  not  been 
involved  in  identifying  them.  As  a  result,  the  key  assets  recorded  may  not 
be  the  ones  that  infrastructure  owners  consider  the  most  important. 


22 Critical  Infrastructure  Protection:  Challenges  to  Building  a  Comprehensive  Strategy  for 
Information  Sharing  and  Cooperation  (GAO/T-AIMD-OO-268,  July  26,  2000).  Testimony 
before  the  Subcommittee  on  Government  Management,  Information  and  Technology, 
Committee  on  Government  Reform,  House  of  Representatives. 
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Further,  the  Key  Asset  Initiative  was  not  being  coordinated  with  other 
similar  federal  efforts  at  DOD  and  the  Department  of  Commerce. 

In  addition,  the  NIPC  and  other  government  entities  had  not  developed 
fully  productive  information-sharing  and  cooperative  relationships.  For 
example,  federal  agencies  have  not  routinely  reported  incident 
information  to  the  NIPC,  at  least  in  part  because  guidance  provided  by  the 
federal  Chief  Information  Officers  Council,  which  is  chaired  by  the  Office 
of  Management  and  Budget,  directs  agencies  to  report  such  information  to 
the  General  Services  Administration’s  Federal  Computer  Incident 
Response  Center.  Further,  NIPC  and  Defense  officials  agreed  that  their 
information-sharing  procedures  needed  improvement,  noting  that 
protocols  for  reciprocal  exchanges  of  information  had  not  been 
established.  In  addition,  the  expertise  of  the  U.S.  Secret  Service  regarding 
computer  crime  had  not  been  integrated  into  NIPC  efforts.  According  to 
the  NIPC  director,  the  relationship  between  the  NIPC  and  other 
government  entities  has  improved  since  our  review.  In  recent  testimony, 
officials  from  Federal  Computer  Incident  Response  Center  and  the  U.S. 
Secret  Service  discussed  the  collaborative  and  cooperative  relationships 
between  their  agencies  and  the  NIPC. 

The  NIPC  has  been  more  successful  in  providing  training  on  investigating 
computer  crime  to  government  entities,  which  is  an  effort  that  it  considers 
an  important  component  of  its  outreach  efforts.  From  1998  through  2000, 
the  NIPC  trained  about  300  individuals  from  federal,  state,  local,  and 
international  entities  other  than  the  FBI.  In  addition,  the  NIPC  has  advised 
several  foreign  governments  that  are  establishing  centers  similar  to  the 
NIPC. 

To  improve  information  sharing,  we  recommended  in  our  April  report  that 
the  Assistant  to  the  President  for  National  Security  Affairs 

•  direct  federal  agencies  and  encourage  the  private  sector  to  better  define 
the  types  of  information  necessary  and  appropriate  to  exchange  in  order 
to  combat  computer-based  attacks  and  to  develop  procedures  for 
performing  such  exchanges, 

•  initiate  development  of  a  strategy  for  identifying  assets  of  national 
significance  that  includes  coordinating  efforts  already  underway,  and 

•  resolve  discrepancies  in  requirements  regarding  computer  incident 
reporting  by  federal  agencies. 
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We  also  recommended  that  the  Attorney  General  task  the  FBI  Director  to 

•  formalize  information-sharing  relationships  between  the  NIPC  and  other 
federal  entities  and  industry  sectors  and 

•  ensure  that  the  Key  Asset  Initiative  is  integrated  with  other  similar  federal 
activities. 

In  commenting  on  a  draft  of  this  report,  the  Special  Assistant  to  the 
President  and  Senior  Director  for  Legislative  Affairs  at  the  National 
Security  Council  said  that  the  administration  will  consider  our 
recommendations  as  it  reviews  federal  cyber  activities  to  determine  how 
the  critical  infrastructure  protection  function  should  be  organized. 


* 


* 


In  conclusion,  efforts  are  underway  to  mitigate  the  risks  of  computer- 
based  attacks  on  federal  information  systems  and  on  our  national 
computer  dependent  infrastructures.  However,  recent  reports  and  events 
indicate  that  these  efforts  are  not  keeping  pace  with  the  growing  threats 
and  that  critical  operations  and  assets  continue  to  be  highly  vulnerable  to 
computer-based  attacks.  The  evaluation  and  reporting  requirements  of  the 
new  Government  Information  Security  Reform  provisions  should  help 
provide  a  more  complete  and  accurate  picture  of  federal  security 
weaknesses  and  a  means  of  measuring  progress.  In  addition,  it  is 
important  that  the  government  ensure  that  our  nation  has  the  capability  to 
deal  with  the  growing  threat  of  computer-based  attacks  in  order  to 
mitigate  the  risk  of  serious  disruptions  and  damage  to  our  critical 
infrastructures.  The  analysis,  warning,  response,  and  information-sharing 
responsibilities  that  PDD  63  assigned  to  the  NIPC  are  important  elements 
of  this  capability.  However,  developing  the  needed  capabilities  will  require 
overcoming  many  challenges.  Meeting  these  challenges  will  not  be  easy 
and  will  require  clear  central  direction  and  dedication  of  expertise  and 
resources  from  multiple  federal  agencies,  as  well  as  private  sector  support. 

Mr.  Chairman,  this  concludes  my  statement.  I  would  be  pleased  to  answer 
any  questions  that  you  or  other  members  of  the  Committee  may  have  at 
this  time.  If  you  should  have  any  questions  later  about  this  testimony, 
please  contact  me  at  (202)  512-6253. 1  can  also  be  reached  by  e-mail  at 
willemssenj@gao.gov. 
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